Everything Runs on Software. None of It Is Secure.
Claude Mythos and the Decades of Deprioritized Cybersecurity Coming Home to Roost
On May 12, 2017 a piece of ransomware named WannaCry swept across the internet with unprecedented speed.
Hospitals across the United Kingdom’s National Health Service were forced to cancel surgeries and divert ambulances because their computer systems had stopped working. Medical staff ripped computers from hospital walls in a desperate attempt to contain the spread. Manufacturing plants halted production lines. Telecommunications companies and shipping firms scrambled to limit the damage. From FedEx to Nissan to Deutsche Bahn to China’s PetroChina, business ground to a halt.
WannaCry was built on something called a zero-day, a hidden flaw in software that nobody knows about yet. If an attacker discovers the flaw first, they can exploit it while the developer has had “zero days” to respond.
But sometimes governments discover these weaknesses first. Intelligence agencies will occasionally stockpile them as offensive tools, weapons that could be used to penetrate adversaries’ systems if needed. That strategy carries enormous risk. Once a vulnerability exists, it can escape.
That is precisely what happened with WannaCry. The zero-day was in Microsoft Windows, software used by hundreds of millions of people worldwide. The ones who discovered it: the U.S. National Security Agency, which gave it the code name EternalBlue and quietly held onto it for years.
Then, on a fine spring morning in April 2017, a mysterious group of hackers calling themselves the Shadow Brokers leaked it online for anyone to find. In the spirit of community, they shared the link on Twitter. Within weeks, criminals had weaponized it. North Korea was later identified as the actor that deployed WannaCry.
Almost every organization in the world is blissfully running software with vulnerabilities it doesn't know about, with cybersecurity often treated as a technical problem for the IT crowd. Not to mention governments around the world sitting on countless zero-days of their own. But until now, finding and exploiting these flaws required highly specialized expertise, the kind that commands hundreds of thousands of dollars on grey markets. AI is about to make that expertise available to anyone.
Expect More of These Moments
Anthropic’s Claude Mythos, which the company described as its most capable AI model to date, is only the latest example of what is coming. Anthropic said the system was too dangerous to release publicly, warning that it posed unprecedented cybersecurity risks. Among the examples cited: Mythos had identified critical flaws in some of the world’s most widely used software, flaws that sophisticated security tools and expert engineers had scanned for, and missed, for years.
George Kurtz, CEO of CrowdStrike, one of the world’s largest cybersecurity firms, which protects corporations and governments from digital attacks, warned that the window between vulnerability discovery and exploitation has collapsed. What once took months can now happen in minutes.
Several researchers were quick to challenge Anthropic’s claims, arguing that Mythos may not be dramatically more capable than some available models.
That debate matters, and it’s exactly the kind of scrutiny these claims deserve. But I want to focus on the bigger picture. It doesn’t matter if Mythos delivers only ten percent of what Anthropic claims, because the direction of travel is clear. AI systems will keep improving, and we need to treat this moment like a fire alarm for a potentially catastrophic failure of our digital infrastructure.
Software runs our lives: hospital equipment, the payment networks that move salaries and pensions, the electricity grids, subways, planes, airport security systems holding our passport data, the water treatment plants. All of it runs on code.
The Current Cyber Resilience Strategy: Hoping For The Best
If Anthropic’s claims about Mythos are even directionally correct, the company made the right decision in withholding the model. It has also announced a $100 million cybersecurity initiative called Project Glasswing, with partners including Amazon Web Services, Apple, Cisco, Google, Microsoft, and JPMorgan Chase. The effort aims to strengthen defensive capabilities before offensive AI systems become more widely available. This could be genuinely helpful.
But the deeper issue is structural.
Should the fate of our digital infrastructure rest on the internal decisions of a private technology company? This is not a criticism of Anthropic. It is a criticism of the world we have built. A startup in San Francisco is now making decisions about societal cyber risk exposure that sovereign governments have not yet equipped themselves to make.
Anthropic made the right call. Not every company will. And open-source models, where no single actor controls release decisions, may make that question irrelevant entirely.
The Question We Should Be Asking
If a company genuinely knows that the digital borders protecting modern society are not secure in an AI-first world, what is its moral obligation to the public? And what is the responsibility of our governments?
For too long, cybersecurity has been deprioritized, treated as an IT issue for the folks down the hall. That framing needs to end. Cybersecurity belongs in every board meeting. Every strategic plan.
Consider what we demand of the physical world. A car must pass crash tests before it reaches the road. A drug must survive years of trials before it reaches a patient. A building must meet fire codes before anyone walks through the door. We have spent decades building frameworks around the principle that some risks are too serious to be left to good intentions.
Software now runs everything. And we have built almost none of that infrastructure around it.


Sinéad,
This piece lands exactly where it needs to, but I think the deeper signal is even more direct:
We already understand the problem.
WannaCry was a warning. The accumulation of zero-days, the normalization of unknown vulnerabilities, the reactive nature of patch cycles, none of this is new. What’s changed is that AI is removing the illusion that we still have time to manage it incrementally.
The gap between discovery and exploitation collapsing to minutes doesn’t just stress the system, it breaks the model entirely.
At that point, continuing to frame this as a cybersecurity issue misses the larger reality. This is a systems design failure. We’ve built a world where critical infrastructure depends on software that is inherently unverifiable at scale, then layered reactive defenses on top and called it security.
AI isn’t creating the problem. It’s exposing it with precision and speed.
So the real question isn’t whether we need better defenses. It’s why we’re still building systems that require defending in this way at all.
In every other domain, we don’t just respond to failure, we design to prevent and contain it. Software remains the exception, even as it becomes the foundation of everything.
Which brings us to the point you raised around responsibility.
We are past the stage of identifying risk. The risks are clear, widely understood, and increasingly measurable. What’s missing is coordinated implementation.
Not more awareness. Not more warnings.
Execution.
This is where I think the conversation needs to shift. From securing systems to redesigning them. From isolated efforts to coordinated frameworks. From reactive patching to architectures that are continuously verified, adaptive, and aligned with human intent at their core.
Because if private companies are now in positions to determine global cyber risk exposure, that’s not just a governance gap, it’s a signal that we have not yet built the structures required to manage the world we’ve created.
The next phase requires alignment across builders, governments, and institutions to implement what we already know needs to exist.
We don’t need another wake-up call.
We need to start building the response.
George
Instructive post. Well explained. 🙌🏽
This is a terrifyingly accurate diagnosis of our "house of cards."
We keep trying to fix the problem with better policies and "safer" software, but the reality is that the architecture itself is the vulnerability, like you said.
Sovereignty isn't safe until it runs on physics, not just software.
We need a system where privacy isn't a promise made by a corporation, but a law of the hardware metabolism.